We need to talk about cybersecurity

The Federal Government talks about the internet as an "unbridled force", but the latest revelation about Chinese espionage shows cyberspace is no longer free of government influence, writes Simon Hansen.

Fresh claims about the extent of China's cyber-espionage activities in Australia have surfaced this week. Predictably, the Australian Government remains tight-lipped.

Australian Financial Review sources allege that the Chinese intelligence agencies that penetrated Australia's parliamentary computer network in 2011 may have been inside the system for up to a year - much longer than previously assumed.

This revelation raises serious questions about Australia's public and private sector cybersecurity in an increasingly interconnected world. It has also renewed anxiety about government information security standards, only one year after Four Corners revealed that Chinese hackers allegedly stole top-secret blueprints of spy agency ASIO's new headquarters.

The government has yet to comment on the recent cyber attacks, and the issue is likely to fade as quickly as it flared.

"This is a national security scandal. What makes it more scandalous is the deafening silence from the Government and the Opposition," Senator Nick Xenophon said on Monday. He has since called for a parliamentary inquiry, and he is right to do so.

A lack of mature discussion about Australia's cybersecurity threats will ultimately jeopardise Australia's future security and prosperity. Despite the long-held tradition of not speaking on intelligence and security matters, failing to debate these issues is likely to obscure real risks for Australia.

After month-on-month disclosures of leaked documents by renegade Edward Snowden - including the Indonesian spying scandal - it's high time to recognise offensive operations in cyberspace. Keeping threats in the dark does nothing for building awareness about the growing challenges posed by offensive cyber activities. There are more hazards for Australia in not saying anything than in saying something.

There are a number of recent reports that highlight increasing risks to business and government from nation states, let alone criminals and other non-state threats.

The M-Trends 2014 Threat Report by Mandiant - the company that established links between the People's Liberation Army and their widespread cyber espionage campaign last year - has identified that state actors such as Iran and China are continuing to advance their offensive cyber activities.

American telecom heavyweight Verizon has detailed in its 2014 data breach report trends that show increasing cyber espionage and denial-of-service attacks.

The Australian Strategic Policy Institute has released a cyber maturity paper that addresses the increasingly complex and potentially adversarial nature of cyberspace.

Finally, former director of the Australian Signals Directorate, Ian McKenzie, has commented on the wide-ranging threats facing Australia, and the shared vulnerabilities between the public and private sector.

The changing cybersecurity landscape demands policy attention. Challenges in this area are more likely to build than to dissipate.

With regard to this week's alleged Chinese cyber attacks, there are a number of reasons why the government may be avoiding a response and preferring to speak in hushed tones.

For Australia, on the back of Prime Minister Tony Abbott's successful visit to China, the elevation of cyber attacks as a political issue would significantly stress our bilateral relationship.

Foreign Minister Julie Bishop learned that lesson when she voiced opposition to China's establishment of an Air Defence Identification Zone in the East China Sea in November last year. She received a stiff rebuke from China's Foreign Ministry, which labelled her comments 'irresponsible'.

This time around China has pre-emptively cut off political discussion. China's Ministry of Foreign Affairs spokesperson Qin Gang has reinforced China's position on cyber attacks and warned "relevant media to avoid making groundless accusations".

Another reason to avoid the issue is the sensitive nature of the Indonesian spying scandal. It would make Australia appear embarrassingly hypocritical if we cried foul to cyber espionage. After all, Australia is a regional leader in signals intelligence.

Offending China and playing the hypocrite are two good reasons to be circumspect about calling out cyber attacks. But Australia doesn't have to call out foreign states in order to raise cybersecurity on the domestic policy agenda.

I don't argue that we need to talk explicitly about the nature of specific cyber attacks - that really is a matter of national security. But by keeping the issue quiet, the government misses an opportunity to raise real risks facing Australia, particularly with regard to the increasing role of the state in cyberspace.

For example, the theft of intellectual property from a small business in Australia by a foreign state's cyber espionage activities could boost the international competitiveness of their economy, at the expense of ours. Another challenge is that technology has blurred the lines between government and business sectors. A threat to privately owned critical infrastructure is a threat to Australia's national security.

These challenges require two-way public-private dialogue. Political vigour - rather than reticence - is needed, as an enriched public discussion will provide clarity and awareness about burgeoning threats.

Now is an opportune time to take a lead on the issue. The fundamentals of Australia's cyber organisation are strong, but there is a need for better clarity on policy leadership. The last Cybersecurity White Paper was released five years ago, and there is significant ambiguity about cyber leadership after the abolition of the Deputy National Security Advisor position.

Communications Minister Malcolm Turnbull recently said at the launch of a cyberspace research program at the Australian National University that "the internet has grown without government direction, it has grown across borders and defied, constrained and on occasions toppled tyrants. Its benefits are incalculable."

This is a powerful portrayal of the internet, an unbridled force that presents opportunities and vulnerabilities for all.

But cyberspace is no longer free of government influence. States are utilising information resources to achieve their national objectives. This includes infiltrating Australia's parliamentary email system to understand the political climate and critical relationships.

Australia will do well to further the debate on cybersecurity issues, as our future security and prosperity are inextricably linked to cyberspace. We all have a stake in the digital age and it's time for policy leaders to raise the bar.

Simon Hansen is an intern with the Australian Strategic Policy Institute's International Cyber Policy Centre.